Despite Premium--PC is infected


I had my MWB Premium set to scan every day and update daily, yet this evening I noticed that I could not run a scan. I looked in the settings and found that realtime protection was disabled, but pressing the Fix Now button did nothing....so I rebooted.

Problem worsened to the point that even the user console doesn't load.

I tried all 13 Chameleon buttons to no avail---kept getting variants of this "A reboot is recommended to remove temporary directory C:\ProgramFiles<86>\MalwarebytesAnti-Malware\Chameleon\Windows\qynhs"

with the last part changing to \irewtit

OR \dlgyj OR \scugshjdd      AND SO ON

 

Obviously, it isn't just a random glitch.

I also tried running MWB Premium and Chameleon in Safe Mode--also futile.

A pop-up screen appears stating "The execution unknown software exception (0x40000015) occurred in the application at 0x73b4d6fd. Click on OK to terminate the program"

The other program's message was the same except for 0x740ab6fd being the location of the exception (I don't recall if the 1st was the Chameleon message or the MWB Premium message.)

 

So basically some crook has messed up my computer----and many other people's as well judging by the 3-4 day backlog of help requests to MWB support.

I downloaded and ran Farbar but the mbam check would not run.

FRST.txt

Addition.txt

Link to post
Share on other sites

Initially, I was going to try that but there is a 3-4 business day backlog and I'm rather distressed about the computer being messed up.

Waiting 3-4 business days for help is too long to wait.

Truly, I'm bummed. I had thought that getting the Pro version would have kept me from having a problem.

 

I thought I used the internet safely but obviously I either did something wrong or someone found a chink in the MWB armor.

 

Kevin, your help would be appreciated.

Link to post
Share on other sites

Thanks for the update, run the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes, close the program > Don't Fix anything!
Post back the report, which should be located on your desktop.

 

Kevin

Link to post
Share on other sites

I ran Roguekiller but had my NAV running, is that OK? I'm afraid to disable it for fear of making things worse.

If I need to temporarily disable it and disconnect from the internet, please let me know.

The log does not appear on the desktop and despite copying it, it will not paste here.

I can email the log, as I was able to copy it to an email that I sent to myself.

The log isn't on the desktop because the malware has modified the registry to hide desktop icons, according to Roguekiller.

 

 

Link to post
Share on other sites

Got the PM with RK log, the log is clean, no issues to worry about... Previous FRST logs are also clean....

 

Go to this link: https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/ follow the relevant instructions to reinstall malwarebytes, make sure to run mbam-clean.exe as per the instructions...

 

Does MB now work correctly?

Link to post
Share on other sites

I'm very pleased to report that uninstalling via the MWB uninstall tool and doing a reinstall has solved the problem.

 

I am puzzled, though, as to why the Roguekiller log mentions registry keys for hiding desktop icons and why the Roguekiller log does not appear on the desktop.

Link to post
Share on other sites

Again that log is clean, do not always believe what a log tells you. Many times running entries that affect what RogueKiller tries to do will be stopped, or as the French developer states "Killed"

 

SuperAntiSpyware is not a ZeroAccess entry, I'm really unsure why that entry shows that way. One point to watch for is the bracketed number at the end of the line. In this case it is [7], which is accepted as a non-malicious entry. [TermProc] means the process was terminated. That can happen for many reasons, maybe the program is affecting RK function....

 

I apologize about how to access the log, when the main scan is completed the "Report" tab is selected to access the log.....

 

If you are still unsure about the SUPERANTISPYWARE.EXE entry maybe a second opinion can be found by upload to VirusTotal...

 

A quick check at SystemLookUp shows nothing wrong - http://www.systemlookup.com/search.php?type=filename&search=SUPERANTISPYWARE.EXE&s=

 

Tell me your thoughts...

Link to post
Share on other sites

Thanks for the update, just run the following to clean up....

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as Administrator.

 

Make sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT, the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it as not needed...

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

If there are no remaining issues/concerns, are we OK to close out...

 

Regards,

 

Kevin

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
